Ecovacs home robots can be hacked to spy on their owners, researchers say (techcrunch.com)
from lemmee_in@lemm.ee to technology@lemmy.world on 12 Aug 2024 09:51
https://lemm.ee/post/39437091

Malicious hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones, new research has found.

Security researchers Dennis Giese and Braelynn are due to speak at the Def Con hacking conference on Saturday detailing their research into Ecovacs robots. When they analyzed several Ecovacs products, the two researchers found a number of issues that can be abused to hack the robots via Bluetooth and surreptitiously switch on microphones and cameras remotely.

“Their security was really, really, really, really bad,” Giese told TechCrunch in an interview ahead of the talk.

The researchers said they reached out to Ecovacs to report the vulnerabilities but never heard back from the company, and believe the vulnerabilities are still not fixed and could be exploited by hackers.

#technology


RegalPotoo@lemmy.world on 12 Aug 2024 11:05

valetudo.cloud

BlackEco@lemmy.blackeco.com on 12 Aug 2024 12:05

As a note, Dennis Giese —who is the co-author of the Defcon talk mentioned in the article— is also the author of Dustcloud, which is used as the basis of Valetudo. Though I’m not aware that Valetudo will ever support Ecovacs robots.

wewbull@feddit.uk on 12 Aug 2024 14:46

It might now.

BlackEco@lemmy.blackeco.com on 12 Aug 2024 15:24

AFAIK Hypfer (Valetudo maintainer) has no intention to support new robots other than Dreame.

NeoNachtwaechter@lemmy.world on 12 Aug 2024 17:56

You had better read their list of supported devices instead of saying such a …

BlackEco@lemmy.blackeco.com on 12 Aug 2024 18:46

I meant adding support for new robots other than Dreame. On Telegram he explicitly said he won’t support any new Roborock nor Ecovacs.

NeoNachtwaechter@lemmy.world on 12 Aug 2024 11:17

hackers can take over control of vacuum and lawn mower robots made by Ecovacs to spy on their owners using the devices’ cameras and microphones

Honestly, did anyone believe that this wouldn’t happen, sooner or later?

When I bought such a device, I made sure that I would be able to install a cloud-free firmware on it. First thing. Before I wanted to use it at all.

AlphaAutist@lemmy.world on 12 Aug 2024 18:43

What did you end up using?

NeoNachtwaechter@lemmy.world on 13 Aug 2024 02:07

Dreame D10S Plus with Valetudo.

Commanding it from Home Assistant.

zaphod@sopuli.xyz on 12 Aug 2024 11:18

Am I the only one who thinks vacuums, washing machines, fridges and so on shouldn’t be connected to the internet?

lemmee_in@lemm.ee on 12 Aug 2024 11:41

I don’t even have a smart TV; I don’t want anything other than my phone and laptop connected to the internet.

JudahBenHur@lemm.ee on 12 Aug 2024 11:48

No, you are not. I will not buy an internet-connected anything as long as possible.

Telorand@reddthat.com on 12 Aug 2024 11:59

I’ve seen tower fans with Wi-Fi. Why on earth does a fan need to contact the internet?

WhatAmLemmy@lemmy.world on 12 Aug 2024 14:47

Most smarthome products are only worthwhile if they’re coupled with other devices in IFTTT style workflows. Like a morning routine where lights come on, the blinds open, and your playlist starts when you fist bump the air or yell “still alive”. A fan is stupid because you can control most fans from a smart plug, but a fan could come in handy for a grow operation, to maintain a level of humidity or whatever; coupled with a smart hygrometer/thermometer, irrigation, and server.

The problem is capitalism — every company tried to create their own walled gardens out of pure greed, so nobody except rich morons were willing to commit to automating their lives with a product/brand/platform that may not exist tomorrow, and won’t work with any other brand’s/platform’s products, so all they’ve done is collectively hamstrung the entire market’s growth, and created mountains of e-waste. Things are starting to move in a better direction, but until I can set up a cost-effective smarthome 100% offline, LAN only, managed by my own FOSS home server, I’m not gonna bother with anything more than a few standalone devices (e.g. pet-cam, mood lighting, etc).

NeoNachtwaechter@lemmy.world on 12 Aug 2024 18:04

until I can set up a cost-effective smarthome 100% offline, LAN only, managed by my own FOSS home server, I’m not gonna bother

I have had that for several years now, with Tasmota devices and a Home Assistant server.

I am even going one step further: most of the logic continues to work even if the Home Assistant server is down. I just have less additional control by smartphone then, and fewer statistics.

Imgonnatrythis@sh.itjust.works on 12 Aug 2024 11:56

With pets at home a robot camera can be kind of nice. Seems obvious that security needs to be a priority with something like that though. It’s just a shame these companies are so sloppy with it.

barsquid@lemmy.world on 12 Aug 2024 12:13

I keep asking this in comments around this kind of article. People are like, “it’s convenient though.”

Lifecoach5000@lemmy.world on 12 Aug 2024 14:45

I’m not super happy about it, but my Roomba is absolutely essential now that I’ve been spoiled with it. I don’t like the idea of any of my appliances being online, tied straight to a vendor’s app and service - but I’m willing to accept the trade-off in this instance. Maybe someday I’ll upgrade to a different robot vac. I know there are FOSS setups to work around some of those challenges and circumvent some of the BS.

Wildly_Utilize@infosec.pub on 12 Aug 2024 15:48

As someone who has never felt the need for a Roomba:

What do you like so much about it?

Lifecoach5000@lemmy.world on 12 Aug 2024 15:53

I despise vacuuming and sweeping and I have 2 canines, so there’s a lot of fur and grime on the floor that needs regular tending to. I bought the Roomba model that is self-charging and self-emptying, so you can just let it run in a set-it-and-forget-it fashion.

Alternatively, it also actually helps motivate me to do other chores as well. I have to pick up everything off the floor before running the vac, and at that point I just start tidying up other things while letting it run.

Wildly_Utilize@infosec.pub on 12 Aug 2024 15:58

Oh OK, cool, I didn’t realize they had self-cleaning ones now. That does sound really convenient for hairy dogs.

Solemn@lemmy.dbzer0.com on 13 Aug 2024 02:32

Mine also mops, refills the mop water and soap, washes its own mop, and drains the dirty water down the drain.

dirthawker0@lemmy.world on 12 Aug 2024 16:22

I hate lugging around that heavy noisy thing, and I don’t have pets. I’m a bit shocked at how much hair two humans drop in a week. The robovac runs twice a week and I empty it once a week, and it keeps the more open/obvious spaces looking pretty pristine. Dust on a shiny floor really shows. There are places where it cannot go and those need to be done by me, but they’re less visible areas so no need for frequent vacuuming.

Laborer3652@reddthat.com on 13 Aug 2024 04:22

I have a German Shepherd who sheds a lot and my vacuum runs every, single, day.

Being able to offload all that work to a machine is a godsend.

Wildly_Utilize@infosec.pub on 13 Aug 2024 13:29

Ya, makes sense. I had 2 Great Pyrenees for years.

Glad you like it.

skyspydude1@lemmy.world on 13 Aug 2024 19:04

The good news with iRobot is that they actually have pretty solid cybersecurity. They also do a pretty great job of supporting parts for old robots and make them quite easy to repair. For a typical consumer product, I feel like they’re far better than most companies in terms of how shitty they could be vs how shitty they actually are.

tudor@lemmy.world on 12 Aug 2024 19:54

I’d like some of them to connect to my local network, but not the Internet. I’ll work it out myself from there onwards and make some remote control solution myself, thank you.

GreyEyedGhost@lemmy.ca on 13 Aug 2024 02:19

I don’t disagree, but I think automation is cool, especially if you can keep it local (or have the tools to secure it on the internet). Valetudo can help make that possible. My current robot vacuum is pretty crappy, but it doesn’t have cameras or mapping. My next will be one that has mapping and can be easily flashed with local hosting.

MrPoopbutt@lemmy.world on 13 Aug 2024 15:25

Flashing a Dreame L10s was difficult but worth it. I’d recommend it if you have the expertise. I did end up having to buy a USB breakout board from eBay, though.

GreyEyedGhost@lemmy.ca on 13 Aug 2024 18:46

I have just enough skill with hardware to get away with it with some swearing.

Empricorn@feddit.nl on 12 Aug 2024 12:18

This is incredible. I mean it’s dystopian and bad… But it’s also cyberpunk as fuck.

umbrella@lemmy.ml on 12 Aug 2024 18:22

Cyberpunk is supposed to be dystopian…

bruhduh@lemmy.world on 12 Aug 2024 12:25

There’s an S in IoT that stands for security.

Brkdncr@lemmy.world on 12 Aug 2024 13:38

The Ecovacs app is garbage and has not improved much in years, so this doesn’t surprise me.

Ravi@feddit.org on 12 Aug 2024 21:18

For some robots there seems to be a self-hosted version of the servers available. Though I haven’t found the actual installation guide yet.

Reference

NeoNachtwaechter@lemmy.world on 13 Aug 2024 15:18

Good to know.

But does it disable these current security holes?

Ravi@feddit.org on 13 Aug 2024 17:06

I can’t tell for sure, but IMO it’s pretty secure when you can block internet access for the robots as a whole.

NeoNachtwaechter@lemmy.world on 13 Aug 2024 20:06

Well, they refuse to work… :)

And no, maybe it is not secure even then, since the current attack goes by Bluetooth.